Python Raises Bar On Code Quality

The open source Python programming language has continued to steadily improve its code quality in recent years and now surpasses that of its open source and proprietary peers, according to a study published by development testing vendor Coverity.

“The Coverity platform is part of the Python build system,” Zack Samocha, senior director of product management at Coverity, told eWEEK. “As their code changes, a new build is submitted to the Scan service and new defects are then sent to Python to be fixed.”

Code scanning

Coverity’s code-scanning system for open-source projects, including Python, has been in place since 2006, when the effort was first funded by the US Department of Homeland Security (DHS). The original DHS funding grant was only for a three-year term, and since its expiration, Coverity has been funding the open-source code scanning on its own.

According to Coverity, the average defect density across all the open-source software that it measures is 0.69 defects per thousand lines of code. Python, which does better than the average, comes in at 0.005 defects per thousand lines of code. So far in 2013, Coverity’s scanning technology has analysed more than 396,000 lines of code in the latest builds of Python 3.3.2. That analysis has led to 181 new defects being identified. For the year to date, Python developers have already fixed 278 defects.

“The disparity between the number of defects fixed and the number of defects identified was due to a backlog of defects,” Samocha said.

‘Double-free’ defects

One of the more interesting defects that Coverity identified in Python that developers have since fixed is a “double-free” defect.

“‘Double free’ means that you allocate memory for a pointer, and then you free the memory twice,” Samocha explained. “This can cause memory corruption, which can lead to unexpected behaviors or program crashes.”

Python is doing a number of things to achieve its low defect density score, said Samocha, adding that Python is truly committed to quality.

“They’ve added the Coverity platform to their core development process, and they’ve invested in educating their developers on how to best leverage the Coverity platform,” Samocha said. “In our opinion, they are doing a great job.”

Are you a security pro? Try our quiz!

Originally published on eWeek.